Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Logging improvements around TLS certs #4615

Merged
merged 1 commit into from
Feb 12, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/4615.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Logging improvements around TLS certs
6 changes: 2 additions & 4 deletions synapse/app/_base.py
Original file line number Diff line number Diff line change
Expand Up @@ -213,13 +213,11 @@ def refresh_certificate(hs):
Refresh the TLS certificates that Synapse is using by re-reading them from
disk and updating the TLS context factories to use them.
"""
logging.info("Loading certificate from disk...")
hs.config.read_certificate_from_disk()
hs.tls_server_context_factory = context_factory.ServerContextFactory(hs.config)
logging.info("Certificate loaded.")

if hs._listening_services:
logging.info("Updating context factories...")
logger.info("Updating context factories...")
for i in hs._listening_services:
# When you listenSSL, it doesn't make an SSL port but a TCP one with
# a TLS wrapping factory around the factory you actually want to get
Expand All @@ -234,7 +232,7 @@ def refresh_certificate(hs):
False,
i.factory.wrappedFactory
)
logging.info("Context factories updated.")
logger.info("Context factories updated.")


def start(hs, listeners=None):
Expand Down
54 changes: 36 additions & 18 deletions synapse/config/tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

from synapse.config._base import Config

logger = logging.getLogger()
logger = logging.getLogger(__name__)


class TlsConfig(Config):
Expand Down Expand Up @@ -110,20 +110,10 @@ def read_certificate_from_disk(self):
"""
Read the certificates from disk.
"""
self.tls_certificate = self.read_tls_certificate(self.tls_certificate_file)

# Check if it is self-signed, and issue a warning if so.
if self.tls_certificate.get_issuer() == self.tls_certificate.get_subject():
warnings.warn(
(
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
"Please either provide a valid certificate, or use Synapse's ACME "
"support to provision one."
)
)
self.tls_certificate = self.read_tls_certificate()

if not self.no_tls:
self.tls_private_key = self.read_tls_private_key(self.tls_private_key_file)
self.tls_private_key = self.read_tls_private_key()

self.tls_fingerprints = list(self._original_tls_fingerprints)

Expand Down Expand Up @@ -250,10 +240,38 @@ def default_config(self, config_dir_path, server_name, **kwargs):
% locals()
)

def read_tls_certificate(self, cert_path):
cert_pem = self.read_file(cert_path, "tls_certificate")
return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
def read_tls_certificate(self):
"""Reads the TLS certificate from the configured file, and returns it

Also checks if it is self-signed, and warns if so

Returns:
OpenSSL.crypto.X509: the certificate
"""
cert_path = self.tls_certificate_file
logger.info("Loading TLS certificate from %s", cert_path)
cert_pem = self.read_file(cert_path, "tls_certificate_path")
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)

# Check if it is self-signed, and issue a warning if so.
if cert.get_issuer() == cert.get_subject():
warnings.warn(
(
"Self-signed TLS certificates will not be accepted by Synapse 1.0. "
"Please either provide a valid certificate, or use Synapse's ACME "
"support to provision one."
)
)

return cert

def read_tls_private_key(self, private_key_path):
private_key_pem = self.read_file(private_key_path, "tls_private_key")
def read_tls_private_key(self):
"""Reads the TLS private key from the configured file, and returns it

Returns:
OpenSSL.crypto.PKey: the private key
"""
private_key_path = self.tls_private_key_file
logger.info("Loading TLS key from %s", private_key_path)
private_key_pem = self.read_file(private_key_path, "tls_private_key_path")
return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)